Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-68818

CVE-2025-68818: Linux Kernel Use-After-Free Vulnerability

CVE-2025-68818 is a use-after-free vulnerability in the Linux kernel SCSI qla2xxx driver that causes NULL pointer dereference in target-mode. This article covers the technical details, affected versions, and mitigation.

Updated:

CVE-2025-68818 Overview

A null pointer dereference vulnerability has been identified in the Linux kernel's SCSI qla2xxx driver. The flaw exists in the __qla2x00_abort_all_cmds() function, where code added to perform lockless command completion in the abort path failed to properly check the sp->cmd_type before assuming TYPE_SRB. This results in a jump to an invalid pointer when operating in target-mode with TYPE_TGT_CMD, causing a kernel crash.

Critical Impact

This vulnerability can cause a kernel NULL pointer dereference leading to system crash and denial of service, particularly affecting systems using QLogic Fibre Channel HBAs in target-mode configurations.

Affected Products

  • Linux kernel with qla2xxx SCSI driver
  • Systems using QLogic Fibre Channel Host Bus Adapters (HBAs)
  • Linux kernel versions prior to the security patch commits

Discovery Timeline

  • 2026-01-13 - CVE CVE-2025-68818 published to NVD
  • 2026-01-13 - Last updated in NVD database

Technical Details for CVE-2025-68818

Vulnerability Analysis

The vulnerability stems from a regression introduced in commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9, which modified the __qla2x00_abort_all_cmds() function to call sp->done() without holding a spinlock. The critical flaw is that this new code path failed to validate the command type before processing.

When the driver encounters a TYPE_TGT_CMD (target-mode command) instead of the assumed TYPE_SRB (SCSI Request Block), the function attempts to dereference a null or invalid pointer, resulting in a kernel oops with the error "kernel NULL pointer dereference, address: 0000000000000000".

The crash manifests during ISP (Intelligent Storage Processor) error recovery operations, specifically when the QLogic adapter experiences a system error (async event 0x8002) and attempts to abort all outstanding commands. The qla2x00_abort_isp_cleanup() path triggers the vulnerable code when processing commands that are not of the expected type.

Root Cause

The root cause is an improper type check in the lockless command completion code path within __qla2x00_abort_all_cmds(). The original problematic commit introduced code that assumed all SCSI Request Blocks (SRBs) would be of TYPE_SRB, but in target-mode operations, commands can be of TYPE_TGT_CMD. This type confusion leads to dereferencing an invalid function pointer when calling sp->done(), as the callback structure differs between command types.

Additionally, a subsequent commit (4475afa2646d) attempted to fix a race condition by restoring the spinlock, but this left the buggy type-assumption code in place, creating redundant and still-vulnerable code above the switch statement that properly handles different command types.

Attack Vector

The vulnerability is triggered locally through specific operational conditions rather than direct exploitation. The attack vector involves:

  1. A system configured with QLogic Fibre Channel HBAs operating in target-mode
  2. An ISP system error condition occurring (either naturally or induced)
  3. The error recovery path invoking qla2x00_abort_isp() which calls qla2x00_abort_all_cmds()
  4. The vulnerable code path processing TYPE_TGT_CMD commands without proper type validation

The vulnerability results in a kernel panic with the call trace showing:

  • __qla2x00_abort_all_cmds() in the qla2xxx module
  • Triggered during qla2x00_do_dpc() deferred processing context
  • CPU attempting to execute instructions at address 0x0

Detection Methods for CVE-2025-68818

Indicators of Compromise

  • Kernel panic messages containing "kernel NULL pointer dereference, address: 0000000000000000"
  • Call traces in kernel logs showing __qla2x00_abort_all_cmds and qla2xxx module references
  • System error async events (0x8002) from qla2xxx driver preceding crashes
  • ISP error recovery messages followed by system hangs or reboots

Detection Strategies

  • Monitor kernel logs (/var/log/kern.log, dmesg) for qla2xxx driver errors and NULL pointer dereference oops
  • Implement watchdog monitoring for unexpected system reboots on servers with QLogic HBAs
  • Review crash dumps for call traces originating from qla2xxx module functions
  • Deploy kernel tracing (ftrace/perf) on __qla2x00_abort_all_cmds to detect abnormal execution patterns

Monitoring Recommendations

  • Configure centralized logging to capture kernel panic events from affected systems
  • Set up alerting for qla2xxx driver error messages, particularly ISP System Error events
  • Monitor system uptime metrics for unexpected restarts on storage servers
  • Implement hardware monitoring for QLogic adapter health status

How to Mitigate CVE-2025-68818

Immediate Actions Required

  • Update the Linux kernel to a version containing the security fix commits
  • If immediate patching is not possible, consider temporarily disabling target-mode on affected QLogic HBAs
  • Review system logs for any evidence of past crashes related to this vulnerability
  • Schedule maintenance windows for kernel updates on production systems

Patch Information

The vulnerability has been addressed through multiple kernel commits that revert the problematic code and remove the redundant, buggy type-assumption logic. The fix ensures that command type validation is properly performed before calling completion callbacks.

Relevant patch commits are available from the Linux kernel stable tree:

Workarounds

  • Avoid using QLogic HBAs in target-mode configuration until patching is complete
  • Implement redundant storage paths to minimize impact of potential driver crashes
  • Configure kdump or other crash collection mechanisms to capture diagnostic information
  • Consider using alternative Fibre Channel drivers if target-mode functionality is not required
bash
# Check current kernel version and qla2xxx module
uname -r
modinfo qla2xxx | grep -E "^(version|filename)"

# Verify if the patch has been applied by checking module version
# or reviewing the kernel changelog for the fix commits

# Monitor for qla2xxx errors in real-time
dmesg -w | grep -i qla2xxx

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.